fix: remove docker-compose.yml from tracking, add example template #136

Merged
cal merged 2 commits from fix/docker-compose-secrets-untrack into main 2026-04-01 18:02:36 +00:00
Owner

Summary

  • docker-compose.yml contains hardcoded credentials (BOT_TOKEN, API_TOKEN, RESTART_WEBHOOK_URL) that must not be tracked in git
  • The *compose.yml rule in .gitignore already excluded the file from tracking (it was previously deleted in commit 60cd547), but no example template existed for contributors
  • Adds !docker-compose.example.yml negation to .gitignore so the example file can be committed
  • Adds docker-compose.example.yml with placeholder values for all secrets and paths

Changes

  • .gitignore — add !docker-compose.example.yml negation rule so the example is trackable while the real file remains excluded
  • docker-compose.example.yml — full structure matching the real file, with all secrets replaced by descriptive placeholders (your-bot-token-here, your-api-token-here, your-discord-webhook-url-here, etc.)

Credential exposure note

The real docker-compose.yml contains:

  • BOT_TOKEN — Discord bot token
  • API_TOKEN — Paper Dynasty API token
  • RESTART_WEBHOOK_URL — Discord webhook URL

None of these values appear in the example file. Refs paper-dynasty-database#9.

Test plan

  • Confirm docker-compose.yml is not staged or tracked after checkout (git ls-files docker-compose.yml returns empty)
  • Confirm docker-compose.example.yml is tracked (git ls-files docker-compose.example.yml returns the file)
  • Confirm no real tokens appear in docker-compose.example.yml

🤖 Generated with Claude Code

cal added 1 commit 2026-04-01 18:00:00 +00:00
fix: remove docker-compose.yml from tracking, add example template
All checks were successful
Ruff Lint / lint (pull_request) Successful in 21s
fb545ef34a
docker-compose.yml contains hardcoded credentials (BOT_TOKEN, API_TOKEN,
RESTART_WEBHOOK_URL) and should never be committed. The *compose.yml gitignore
rule already excluded it but docker-compose.example.yml was not provided as a
reference for contributors.

- Add !docker-compose.example.yml negation to .gitignore so example is tracked
- Add docker-compose.example.yml with placeholder values for all secrets

Closes paper-dynasty-database#9

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cal reviewed 2026-04-01 18:01:30 +00:00
cal left a comment
Author
Owner

Security Review — APPROVED (no real secrets found)

Reviewed all values in docker-compose.example.yml for real credentials or secrets. All sensitive fields use explicit placeholder strings:

  • BOT_TOKEN=your-bot-token-here
  • API_TOKEN=your-api-token-here
  • DB_PASSWORD=your-db-password-here (both discord-app and db services)
  • GUILD_ID=your-guild-id-here
  • SCOREBOARD_CHANNEL=your-scoreboard-channel-id-here
  • RESTART_WEBHOOK_URL=your-discord-webhook-url-here

Non-sensitive values (DB_USERNAME=postgres, DB_URL=db, DB_NAME=postgres, TZ=America/Chicago, PYTHONHASHSEED=1749583062) are either defaults or non-secret configuration.

The .gitignore change correctly un-ignores docker-compose.example.yml via the ! negation pattern while keeping all real compose files ignored.

No real credentials found. Clean to merge.

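The third test-plan item and the manual review above can be automated. The following is an added example, not part of this pull request or the project's code: a stdlib-only check that every secret-looking key in a compose file carries a `your-...-here` placeholder. The key list and placeholder convention come from the review; the regexes, the name-suffix heuristic and the sample file contents are constructed assumptions.

```python
import re

# Keys the review above treated as sensitive.
SENSITIVE_KEYS = {"BOT_TOKEN", "API_TOKEN", "DB_PASSWORD", "GUILD_ID",
                  "SCOREBOARD_CHANNEL", "RESTART_WEBHOOK_URL"}
# Assumption: every placeholder follows the your-<name>-here convention.
PLACEHOLDER = re.compile(r"^your-[a-z0-9-]+-here$")
# Both compose environment styles: "- KEY=value" (list) and "KEY: value" (map).
ENV_LINE = re.compile(r"^\s*(?:-\s*)?([A-Z][A-Z0-9_]*)\s*[=:]\s*(.*?)\s*$")
# Assumption: name fragments that suggest a secret for keys not listed above.
SECRET_HINT = re.compile(r"TOKEN|PASSWORD|SECRET|WEBHOOK|KEY")


def find_unsafe_values(compose_text):
    """Return (line_number, key) for sensitive keys whose value is not a placeholder.

    Values are deliberately left out of the result so that a real secret
    is never echoed into CI logs.
    """
    findings = []
    for lineno, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.split(" #", 1)[0]          # drop trailing YAML comments
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if key not in SENSITIVE_KEYS and not SECRET_HINT.search(key):
            continue                           # non-secret config, e.g. TZ
        if not PLACEHOLDER.match(value):       # empty values are flagged too
            findings.append((lineno, key))
    return findings


# Constructed sample in the shape the PR describes (not the project's file).
GOOD = """\
services:
  discord-app:
    environment:
      - BOT_TOKEN=your-bot-token-here
      - API_TOKEN=your-api-token-here
      - RESTART_WEBHOOK_URL=your-discord-webhook-url-here
      - DB_USERNAME=postgres
  db:
    environment:
      DB_PASSWORD: your-db-password-here
"""
# Constructed failure case: two placeholders swapped for fake non-placeholder values.
BAD = (GOOD.replace("your-bot-token-here", "constructed-fake-value-123")
           .replace("your-discord-webhook-url-here", "https://example.invalid/hook"))
```

Run as a pre-commit or CI step over `docker-compose.example.yml`, a non-empty result should fail the build.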
Claude approved these changes 2026-04-01 18:02:28 +00:00
Claude left a comment
Collaborator

Approved via pd-pr
cal added 1 commit 2026-04-01 18:02:32 +00:00
Merge branch 'main' into fix/docker-compose-secrets-untrack
All checks were successful
Ruff Lint / lint (pull_request) Successful in 15s
4bda3bf0de
cal merged commit b65d91a65b into main 2026-04-01 18:02:36 +00:00
cal deleted branch fix/docker-compose-secrets-untrack 2026-04-01 18:02:36 +00:00
Reference: cal/paper-dynasty-discord#136